Skip to main content

Release 26.1

Release 26.1 – Driving Greater Visibility, Accuracy, and Control

Xshield 26.1 delivers meaningful platform enhancements focused on improving risk accuracy, expanding visibility across environments, and strengthening operational efficiency. This release refines how breach risk is measured, enhances Spark-based capabilities, expands platform support, and introduces greater flexibility across cloud and AI integrations.

Together, these updates provide customers with more precise security insights, improved scalability, and stronger control across hybrid and multi-cloud environments—helping organizations reduce risk with confidence and clarity.

Improved Breach Risk Scoring for Assets

Overview

Xshield has updated the way breach risk scores are calculated for assets to provide a more accurate and meaningful representation of real security risk. The revised scoring model places stronger emphasis on actual risk reduction controls, particularly around port-level exposure, while reducing reliance on high-level status indicators.

As a result of this improvement, some customers may observe higher risk scores for certain assets. This does not indicate reduced security, but rather reflects a more precise measurement of exposure and protection effectiveness.

What's Changed

The updated scoring model shifts focus toward what materially reduces breach risk, with key changes including:

  • Greater emphasis on securing ports - Assets are now rewarded more for explicitly securing risky and non-risky ports, especially those associated with known lateral movement techniques or security advisories.
  • Risk-based differentiation of ports - Ports identified as high risk contribute more significantly to the score, while lower-risk ports carry proportionally lower weight.
  • Reduced reliance on path-level and status-based indicators - Previously rewarded signals such as reviewed paths and asset status states now carry little or no weight, as they are indirect indicators of risk.
  • Improved inbound and outbound coverage - New parameters account for outbound enforcement and progressive Zero Trust states, providing a more complete view of asset exposure.
  • Refined weighting logic - Several inputs now use multiplicative weighting instead of additive scoring, ensuring that critical risk factors meaningfully influence the final score.

Why This Matters

The previous model could over-reward partial or indirect security actions, such as reviewing paths, while under-representing the impact of explicit port-level protections. The updated approach aligns scoring with how breaches actually occur and spread.

Customer Impact & Value

  • Provides a more accurate reflection of real breach risk
  • Highlights assets that require attention based on actual exposure, not procedural progress
  • Encourages security efforts that directly reduce lateral movement and attack surface
  • Improves prioritization for remediation and Zero Trust adoption
Important

Risk scores may increase for some assets as a result of this update. These changes reflect improved risk fidelity, not a regression in security posture.

Breach Readiness Impact Assessment (BRIA) Report – Measuring Real Breach Risk

Overview

This release introduces the Breach Readiness Impact Assessment (BRIA) report — a new way to evaluate breach risk by answering a critical question:

"What is the real business impact of a breach, and how quickly can it be contained?"

Unlike traditional security reports that focus only on technical exposure, BRIA translates security posture into business outcomes, helping organizations understand cyber risk in financial, operational, and recovery terms.

What's New and Why It Matters

  • Business Impact Quantification - Estimates breach impact across financial loss, downtime, and time to containment, shifting discussions from vulnerabilities to measurable risk.
  • Breach Readiness vs. Static Posture - Assesses an organization's ability to contain and recover from breaches, not just prevent them.
  • Clear Before-and-After Outcomes - Demonstrates how Zero Trust segmentation reduces blast radius, containment time, and operational disruption.
  • Executive-Ready Insights - Includes an executive summary and assessor perspective for board, audit, and risk discussions.

Key Differentiators

  • Outcome-Driven, Not Control-Driven - Goes beyond vulnerability counts by linking security controls to business resilience.
  • Actionable Remediation Roadmap - Provides prioritized findings and a time-bound execution plan.
  • End-to-End Breach Coverage - Analyses both internet exposure and lateral movement paths for a complete breach view.

Customer Value

  • Enables leadership to make risk-informed investment decisions.
  • Helps security teams demonstrate the business value of Zero Trust segmentation.
  • Delivers a clear, defensible narrative for internal and external stakeholders.

Bring Your Own LLM (BYO-LLM) Support

Overview

Xshield now supports Bring Your Own LLM (BYO-LLM), allowing customers to integrate external Large Language Model providers to power Generative AI capabilities within the platform. This enables organizations to adopt AI-driven features while aligning with their privacy, governance, and deployment requirements.

For SaaS tenants, Generative AI is enabled by default using a platform-provided LLM. BYO-LLM extends this capability by allowing customers to override the default provider or enable Generative AI in on-premises environments.

Key Highlights

  • Support for customer-managed LLM providers for Generative AI features.
  • Ability to override the default SaaS LLM with a preferred provider.
  • Enables Generative AI capabilities for on-premises deployments.
  • Currently supports integration with OpenAI and Azure OpenAI.
  • Option to disable Generative AI at the tenant level for compliance or policy reasons.

Customer Value

  • Data control and privacy: Use private or enterprise-managed LLMs to meet governance requirements.
  • Deployment flexibility: Bring Generative AI to both SaaS and on-prem environments.
  • Choice and control: Select models and providers that align with organizational standards.
  • Future-ready AI adoption: Leverage AI capabilities without locking into a single provider.

Deployment Flexibility

  • SaaS tenants can continue using the default LLM with no configuration changes.
  • BYO-LLM can be configured through the Integrations page for supported providers.
  • Generative AI can be enabled, overridden, or disabled at the tenant level based on policy needs.

AWS Cloud Visibility with Cloud Connector

Overview

Xshield now extends cloud visibility support to Amazon Web Services (AWS), enabling organizations to gain insight into AWS workloads and communication patterns alongside Azure from a single platform.

Using the Xshield Cloud Connector, customers can discover AWS resources across accounts and regions and visualize network and application traffic using AWS-native telemetry sources. This capability focuses on asset discovery and traffic visibility, providing foundational context for understanding cloud exposure and behavior.

Key Highlights

  • Automated discovery of AWS resources across accounts and regions.
  • Visibility into network traffic using AWS VPC Flow Logs.
  • Application-level visibility using AWS X-Ray traces (where enabled).
  • Intelligent grouping and filtering using AWS-native metadata such as VPCs, subnets, and tags.
  • Unified cloud visibility alongside Azure and on-prem environments.

Supported AWS Services for Visibility

The Cloud Connector provides discovery and visibility for the following AWS services (support may vary by release):

  • Amazon EC2
  • Amazon RDS
  • Amazon API Gateway
  • AWS Lambda
  • Amazon S3
  • Amazon DynamoDB

Customer Value

  • Centralized visibility into AWS assets and traffic without deploying agents.
  • Faster understanding of cloud communication patterns and external exposure.
  • Simplified cloud posture analysis across multiple AWS accounts and regions.
  • Consistent cloud visibility model across AWS and Azure.

Enhanced Ecosystem Integrations

  • Leverages AWS-native constructs such as VPCs, subnets, tags, and IAM roles.
  • Integrates directly with AWS accounts and regions.
  • Uses AWS-native telemetry sources (VPC Flow Logs and X-Ray) for traffic insights.
  • Supports hybrid and multi-cloud visibility within the Xshield platform.

Deployment Flexibility

  • Operates agentlessly using AWS APIs and native telemetry services.
  • Supports visibility across multiple AWS accounts, regions, VPCs, and supported services.
  • Designed to scale for both centralized and decentralized AWS environments.

Scope-Based RBAC Support

Overview

This release introduces Scope-Based RBAC, enabling administrators to precisely control what users can see and what actions they can perform within Xshield.

Access is governed by a combination of Role (what actions are permitted) and Scope (which assets and resources are visible), allowing teams to enforce least-privilege access at scale.

Scopes are defined using tag-based constraints, ensuring users interact only with assets relevant to their responsibility.

Key Highlights

  • Combines Role-based permissions with tag-based scopes for granular access control.
  • Scopes automatically filter resources such as Assets, Segments, and Tag Rules.
  • Supports flexible scope definitions using existing asset tags (e.g., environment, application, location).
  • Enforces least privilege by restricting visibility to in-scope assets only.
  • Admin and Auditor roles retain full visibility and are excluded from scope restrictions.

Customer Value

  • Least Privilege by Design: Users only see and act on assets relevant to their role and responsibility.
  • Improved Security Posture: Reduces accidental changes and unauthorized access.
  • Operational Simplicity: Eliminates the need to create and manage numerous custom roles.
  • Scalable User Management: Easily onboard teams across environments, applications, or regions using tags.

Deployment Flexibility

  • Scopes are defined using existing asset tags with no schema changes required.
  • Each user is assigned a single role and an optional scope.
  • Scope enforcement is applied automatically across the platform.
  • Fully compatible with existing role definitions and access workflows.

Optimize Policy Templates with Policy Rule Analyzer Usage Insights

Overview

As Zero Trust environments grow, segmentation templates can accumulate numerous rules—many of which may no longer reflect active network behaviour. Xshield's new Policy Rule Analyzer helps security teams make data-driven decisions about which rules to retain, refine, or remove by tracking real-time rule usage.

Every time a rule is matched against observed traffic, Xshield records how often and when it was last used. This detailed usage telemetry empowers users to search for low- or zero-usage rules, making it easier to identify redundant or outdated entries and streamline template management—without risking accidental disruption.

Key Highlights

  • Per-Rule Usage Telemetry: Automatically records how often each rule has been matched and the timestamp of its last usage.
  • Searchable Insights: Easily filter and find rules with low or no recorded usage across policy templates.
  • Safe Cleanup Process: Surface rules with low usage for manual review—no automatic deletion or enforcement changes.
  • Real-Time Feedback Loop: Monitor the impact of segmentation rules in production and refine them based on actual usage data.

Customer Value

  • Actionable Intelligence: Understand which rules are actively contributing to policy enforcement—and which aren't.
  • Streamlined Templates: Reduce template bloat and eliminate rule clutter based on measurable usage, not guesswork.
  • Change with Confidence: Refine or retire low-usage rules without fear of disrupting legitimate traffic.
  • Continuous Improvement: Use real-world telemetry to evolve segmentation strategy over time, based on how the environment behaves.

Enhanced Ecosystem Integrations

Rule Analyzer integrates seamlessly with Xshield's existing rule and template workflows:

  • Complements traffic visualizers and template editors
  • Works across segment-level and asset-level templates
  • Enables cross-team collaboration during policy audits and change control

Deployment Flexibility

Rule usage tracking is automatically enabled for all segmentation rules defined via templates:

  • No additional configuration or agent updates required
  • Works across cloud, on-premise, and hybrid environments
  • Supports workloads protected via the Xshield agent or Spark
  • Rule usage data is immediately available in template views and audit tools

Extended Linux Distribution Support

Xshield now expands platform compatibility and enables broader deployment for the below enterprise Linux environments, helping organizations extend consistent visibility and enforcement across their Linux infrastructure.

  1. AlmaLinux
  2. SUSE Linux Enterprise Server 11
  3. SUSE Linux Enterprise Server 12

Spark Sensor Page – Centralized Management for EDR Assets

Overview

Introducing the Spark Sensor Page, providing a centralized view and management interface for all EDR assets running ColorTokens Spark. Manage Spark-enabled assets and perform operational actions at scale.

Key Highlights

  • Dedicated Sensors → Spark page for monitoring Spark assets, including their status, last execution time, and tags.
  • Familiar interface aligned with the Agents page for ease of use.

Operational Capabilities

  • Diagnostics Collection: Collect system and network diagnostic data from Spark-enabled EDR assets to support troubleshooting and analysis.
  • Debug Logging Control: Enable or disable debug logs on selected Spark assets for deeper operational insight when required.

Customer Value

  • Simplifies management of Spark-based enforcement across EDR environments.
  • Improves operational visibility and troubleshooting efficiency.
  • Reduces effort by enabling bulk actions from a single interface.

Spark Enhancements – Listening Process Visibility & Improved Policy Handling

Overview

This release introduces enhancements to Xshield Spark to improve visibility and streamline policy programming workflows.

Key Highlights

  • Listening Process Visibility: Spark now collects listening process information during execution and surfaces it in the Dashboard, providing clearer insight into active services on managed assets.
  • Optimized Policy Pre-Checks: Pre-requisite checks for policy programming (nftables) are now performed only when policies are being programmed, rather than during every Spark run.
  • Enhanced Firewall Log Processing: Improved firewall log collection and upload handling to efficiently process larger log volumes, particularly in environments where Spark executions are less frequent.

Customer Value

  • Better visibility into listening services for improved policy accuracy.
  • Reduced operational overhead and faster Spark execution cycles.
  • Improved scalability and reliability in firewall log ingestion over extended time ranges.
  • Stronger backend resilience without requiring any configuration changes.

Deployment Flexibility

  • Automatically available with the latest Spark version.
  • No additional configuration required.

CrowdStrike–Spark Integration

Overview

Xshield now supports applying Zero Trust policies on CrowdStrike-managed hosts using Spark. This is recommended for any new CrowdStrike integrations. This capability enables Spark-based enforcement while maintaining full compatibility with existing policy enforcement logic and workflows.

Key Highlights

  • Enables Zero Trust policy enforcement on CrowdStrike-managed hosts using Spark.
  • Fully compatible with existing enforcement mechanisms.
  • No changes required to current policy definitions or workflows.
  • Supports both traditional and Spark-based enforcement paths.

Customer Value

  • Expands enforcement options for environments using CrowdStrike.
  • Enables a gradual and flexible adoption of Spark without disruption.
  • Ensures consistent policy enforcement across endpoints.
  • Reduces operational complexity by preserving existing workflows.

Deployment Flexibility

  • Supports both existing and Spark-based enforcement models.
  • Can be adopted selectively per environment or endpoint.
  • Works seamlessly with current CrowdStrike-integrated deployments.

Create Tag Rules for Security Groups

Overview

This release introduces support for creating tag rules based on user security groups.

While segments cannot be created directly using user security groups, this capability allows assets to be automatically tagged based on their associated user security group and then placed into the appropriate segments through existing tag-based segmentation workflows.

Key Highlights

  • Create tag rules using user security group as a matching criteria.
  • Automatically apply tags to assets based on user group membership.
  • Works seamlessly with existing tag-based segment definitions.
  • Ensures newly onboarded assets are classified correctly from day one.

Customer Value

  • Simplifies segmentation workflows where user identity or group membership is important.
  • Reduces manual tagging and post-onboarding adjustments.
  • Ensures consistent and accurate asset placement as environments scale.

Deployment Flexibility

  • Works alongside existing tag rules and segmentation logic.
  • Requires no changes to current segment definitions.

Application Control (Preview) – Application Execution Blocking on Windows

Overview

Xshield currently provides security controls at the network and service communication layer (IP, Port, Protocol, and Process), enabling organizations to build granular Zero Trust policies for workload communication.

With this release, the platform is being extended to include execution-layer control on Windows endpoints. As part of this preview capability, operators can define rules to block specific applications or publishers from launching — for example, preventing the execution of Firefox on selected user endpoints.

This enhancement allows customers to not only control how applications communicate over the network, but also restrict whether certain applications can run at all, strengthening host-level protection.

This feature is intended for early adopters and controlled trial environments, enabling security teams to evaluate execution-layer blocking before broader feature expansion.

Current Scope (Preview Capabilities)

  • Block application execution based on publisher or software name
  • Enforcement uses native Windows execution controls
  • Designed specifically for execution blocking only in this phase
  • Supported on Windows Server 2016 and above only

Customer Value (Preview Use Cases)

  • Evaluate execution-layer blocking for high-risk or unwanted applications
  • Reduce exposure to known unauthorized tools in controlled environments
  • Provide early feedback to influence feature evolution

Enhanced Ecosystem Integrations

  • Integrates with existing template workflows
  • Applications or publishers can be added to block templates

Important Preview Limitations

As part of this controlled rollout, the feature currently provides basic blocking functionality only.

The following capabilities are not included in this release:

  • No UI visibility for application block events
  • No audit/event-level reporting within the Xshield console
  • No allow-listing model at this stage
  • Limited management controls compared to mature Application Control solutions

Availability & Licensing

This capability is available on request as a preview feature and is currently intended for testing and feedback purposes.

As an early-stage preview release, capabilities may expand in future versions and are expected to follow standard licensing upon general availability.

tip

How Application Control Differs from Process-Based Policies

  • Process-Based Policies control network communication for running processes (ports, protocols, destinations).
  • Application Control operates at the execution layer, preventing applications from launching altogether.

These capabilities address different layers of control and can be used together where appropriate.

Product Documentation Availability

Xshield product documentation has been refreshed to reflect the latest platform updates. All newly introduced features are now documented, and existing articles have been updated to ensure accuracy and completeness.

We encourage you to take advantage of these resources. Ongoing updates will continue as new capabilities evolve.